[nsp-sec] Cisco CPE hitting dst=0.0.0.0 NULL desthost
Mike Lewinski
mike at rockynet.com
Thu Apr 10 10:43:00 EDT 2014
On 4/10/14 10:08 AM, Chris Morrow wrote:
> these are caught in outbound filters off the CPE toward your network?
No, IOS threw exceptions at our syslog. I don't think these packets left
the local routers. Here's what a single event looked like in full:
23:12:48 s0-850-s-boulderrd src=204.144.129.73 dst=0.0.0.0 NULL desthost
23:12:48 s0-850-s-boulderrd -Process= "IP Input" ipl= 0 pid= 22
23:12:48 s0-850-s-boulderrd -Traceback= 8026C6C8 8026BA8C 8026BE38
8027B564 802421BC 80243108 8023EF9C 8027B48C 80261754 8025F47C 8025F574
8025F70C 8014DED8
All of them logged three similar lines. Google didn't find much to
explain, but one post had a query about GRE, which has me thinking maybe
the sources are miscreants looking for a way to capture traffic and use
Heartbleed to maximum effect.
> are the hosts owned/used by someone at the same company? could this be
> someone's software upgrade (on machines) gone bad? (or the equivalent)
No, these are shared T1s used by lots of disparate small businesses.
I meant to say that timestamps are MDT / -6 UTC. It's unlikely there was
anyone in most of these sites actively using the connections at 11pm.
These are mostly 9-5 folks, CPAs, lawyers, etc.
I also checked our tacacs logs but found nothing there corresponding in
time.
I also checked our traffic/cpu/memory graphs for the kinds of spikes
that typically accompany DDoS; again, there was nothing interesting.
While I still have logins to those hosts, they're effectively off my
network and not my direct responsibility anymore.
Mike
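For anyone wanting to pull these out of a syslog archive in bulk: the following is an added example, not code from the post or from Cisco, that groups the three-line IOS exception quoted above (the `NULL desthost` line, the `-Process=` line and the wrapped `-Traceback=` lines) into one record per event and counts events per source address. The sample log is constructed; the first event is the one from the post, the second uses a documentation-range address.

```python
import re
from collections import defaultdict

# Constructed sample in the format quoted in the post. The second event
# is made up (198.51.100.7 is a documentation address) to show grouping.
SAMPLE_LOG = """\
23:12:48 s0-850-s-boulderrd src=204.144.129.73 dst=0.0.0.0 NULL desthost
23:12:48 s0-850-s-boulderrd -Process= "IP Input" ipl= 0 pid= 22
23:12:48 s0-850-s-boulderrd -Traceback= 8026C6C8 8026BA8C 8026BE38
8027B564 802421BC 80243108 8023EF9C 8027B48C 80261754 8025F47C 8025F574
8025F70C 8014DED8
23:14:02 s0-850-s-boulderrd src=198.51.100.7 dst=0.0.0.0 NULL desthost
23:14:02 s0-850-s-boulderrd -Process= "IP Input" ipl= 0 pid= 22
23:14:02 s0-850-s-boulderrd -Traceback= 8026C6C8 8026BA8C 8026BE38
"""

TS = r"(?P<ts>\d\d:\d\d:\d\d) (?P<host>\S+) "
EVENT_RE = re.compile(TS + r"src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) NULL desthost$")
PROC_RE = re.compile(TS + r'-Process= "(?P<proc>[^"]+)" ipl= (?P<ipl>\d+) pid= (?P<pid>\d+)$')
TB_RE = re.compile(TS + r"-Traceback= (?P<frames>.*)$")
CONT_RE = re.compile(r"^(?:[0-9A-F]{8}\s*)+$")  # traceback wrapped onto a bare line


def parse_null_desthost_events(text):
    """Return one dict per event; wrapped traceback lines are joined to the event they follow."""
    events = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = EVENT_RE.match(line)
        if m:
            events.append({"ts": m["ts"], "host": m["host"], "src": m["src"],
                           "dst": m["dst"], "process": None, "traceback": []})
            continue
        if not events:
            continue  # stray continuation before any event line; ignore
        m = PROC_RE.match(line)
        if m:
            events[-1]["process"] = m["proc"]
        elif (m := TB_RE.match(line)):
            events[-1]["traceback"] = m["frames"].split()
        elif CONT_RE.match(line) and events[-1]["traceback"]:
            events[-1]["traceback"].extend(line.split())
    return events


def count_by_source(events):
    """Events per source address for dst=0.0.0.0; a few sources hitting many CPEs stand out here."""
    counts = defaultdict(int)
    for e in events:
        if e["dst"] == "0.0.0.0":
            counts[e["src"]] += 1
    return dict(counts)
```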